Re: Test question

[George Patterson <george () laopdr com>]

Ryan, and those wondering...

Quoting from section 1.4.3 of the Snort User Manual

" ... The Alert rules applied first, then the Pass rules, and finally the Log
rules.
 This sequence is somewhat counterintuitive, but it's a more foolproof method
than
 allowing the user to write a hundred alert rules and then disable them all
with an
 errant pass rule. For more information on rule types, see Section 2.2.1.
...." 

George Patterson


Ryan Hill wrote:
> > Ronneil,
>  
> If you don't change the rule processing order (snort -o), then AFAIK, the
> alert will trigger irregardless of the pass rule since alert rules will be
> processed first in the engine.  Generally, if you've written any pass rules,
> you want to use snort -o to utilize them.  The default option is not using
> them (probably for performance reasons - one can speculate).
>  
> BTW: Good suggestions Phil.  I'm getting double triggers as the messages
> pass over two sensors before reaching me... lol
>  
> <snip false alarm generating sig here>
>  
> Regards,
>
>
> Ryan Hill, MCSE
> IT Ninja 
> Corporate Information Systems 
> TeleCommunication Systems, Inc. (TCS) - http://www.telecomsys.com
> <http://www.telecomsys.com/>  
> v: 206.792.2276 - f: 206.792.2001 
> pgp: 0x17CE70AB

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users